VMware Encryption for Virtual Machines

vSphere 6.5 provides support for encryption of individual virtual machines. This VMware feature works with VMware storage policies and a third-party Key Management Server (KMS) or Native Key Provider, preventing VM data from being read from an ESXi host or storage subsystem without the encryption keys.

How Commvault Works with VM Encryption

Commvault can back up encrypted VMs using HotAdd, NBD, or NBDSSL transport modes. SAN, directsan and NAS modes are not supported.

During backups, VMware automatically decrypts virtual machine data and passes data to Commvault in an unencrypted format. You can use Commvault data encryption to protect backup data during transmission and for storage on media.

When a VM is restored from backup, the VM data is not encrypted. You must apply the appropriate VMware storage policy to re-enable encryption for the VM.

For more information, see the VMware guide Virtual Machine Encryption Interoperability.

Note

Live browse and restore of guest volumes encrypted using encryption software is not supported. For more information, see Live Browse for VMware.

General Requirements

The user account for the vCenter virtualization client must have the following permissions to perform backups and restores for encrypted VMs:

  • Cryptographic Operations > Add Disk

  • Cryptographic Operations > Direct Access

  • Cryptographic Operations > Encrypt

HotAdd Requirements

  • The VSA proxy that is used for the backup must be encrypted.
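
The following PowerCLI script is an added example, not Commvault or VMware code. It checks that a vCenter role holds the three cryptographic privileges listed above, and reports whether given VMs (for example a restored VM or the VSA proxy) are currently encrypted. The role name and VM names are placeholder assumptions, and an existing `Connect-VIServer` session is assumed.

```powershell
# Added example; requires VMware PowerCLI and an existing Connect-VIServer session.
# Role and VM names below are placeholders (assumptions), not values from this page.
param(
    [string]   $RoleName = 'Commvault-VSA-Role',                 # hypothetical role name
    [string[]] $VMName   = @('restored-vm-01', 'vsa-proxy-01')   # hypothetical VM names
)

# Privilege IDs behind Cryptographic Operations > Add Disk, Direct Access, Encrypt
$required = 'Cryptographer.AddDisk', 'Cryptographer.Access', 'Cryptographer.Encrypt'

$role    = Get-VIRole -Name $RoleName -ErrorAction Stop
$missing = $required | Where-Object { $role.PrivilegeList -notcontains $_ }
if ($missing) {
    Write-Warning "Role '$RoleName' lacks: $($missing -join ', ')"
} else {
    Write-Output "Role '$RoleName' holds all three cryptographic privileges."
}

foreach ($vm in Get-VM -Name $VMName -ErrorAction Stop) {
    # VM home files are encrypted when the VM configuration carries a key ID
    $homeEncrypted = $null -ne $vm.ExtensionData.Config.KeyId

    # Each virtual disk carries its own key ID on its backing object
    $disks = @($vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualDisk] })
    $plainDisks = @($disks | Where-Object { $null -eq $_.Backing.KeyId })

    # One row per VM; a restored VM shows HomeEncrypted = False until
    # the encryption storage policy has been applied again
    [pscustomobject]@{
        VM               = $vm.Name
        HomeEncrypted    = $homeEncrypted
        DiskCount        = $disks.Count
        UnencryptedDisks = ($plainDisks | ForEach-Object { $_.DeviceInfo.Label }) -join ', '
        StoragePolicy    = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    }
}
```

Run it after a restore to confirm that the storage policy was reapplied, and before a HotAdd backup to confirm that the proxy VM reports as encrypted.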